It's 12:30 EDT 7/18/16 -- did Firefox just send out a Patch to be downloaded and installed?
I was just interrupted in my browsing by a "flash screen" which had the Firefox logo and a dialogue asking me to download a Patch. I've downloaded by not opened the patch to install it. This is the first time in decades of computer work that I've every seen anything like this. Is this a legit Firefox patch? Or some sort of hack?
Wšě wotmołwy (4)
Probably malware do not open or run that.
I will post more details later.
As you say this is malware. Do not run or open the file. What is the name of the file you received and is it a .js or .exe type: Bothe are executable and will run if you are not careful.
We are trying to find our more about this. The trojan could be particularly dangerous and possibly able to reside in the memory and registry without using files, that makes it dificult to detect and remove.
There are two things you could do.
- First just in case you are infected with this malware use a specific removal tool. (That's only necessary if the file may have run)
- Second if you would like to help us see if you can catch the actual advert and its details. (The orange splash screen in a full page of its own does not help as the malware keeps changing the site it uses for that)
Note the removal tool will tell you if you if it does not find anything. If it does find something it will generate a log file. It would be interesting to see the content of the log file if one is generated. It is probably safer and good policy not to use an Admin account for day to day computer work and ordinary Browsing, however note you do need to run the removal tool from an Admin account.
- Notes & tool link: "Symantec Official Blog Kovter malware learns from Poweliks with persistent fileless registry update" http://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update
- Instructions for Trojan.Kotver Removal Tool https://www.symantec.com/security_response/writeup.jsp?docid=2015-092321-2230-99
- https://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixToolKotver64.exe https://www.symantec.com/content/en/us/enterprise/media/security_response/tools/FixToolKotver32.exe
- I have deliberately broken those links as it is against forum policy to post links to executables ln the forum. Please use the link in the Instructions page, OR copy and paste the address into your addressbar
These are the instructions for catching the ad information
{#c16}If ... affected users) could tell us what the ad URLs are, that would be helpful.
They would need to right-click on the ad image, choose "This Frame -> View Frame Info", and copy/paste the following info:
General tab: Address (URL)
Media tab: Location (URL) of each item in the list of media in that frame.
This will help us isolate the affected ad networks so we can contact them and inform them of the malware.
Thanks!
Did NOT run. It's a .js file. As soon as I saw the non-Firefox "logo" on the file it looked suspicious so I did not run. Will delete now.
hope a solution is found soon.
Wot cliffontheroad